Nick FitzGerald <nick@virus-l.demon.co.uk> wrote:

<snip>

> A better workaround (assuming that you feel cookies are "relatively
> useful" and would rather not turn them off) is to put about: URLs
> into the Restricted Sites zone, as detailed in Andrew Clover's
> followup to his own post:
>
> http://www.securityfocus.com/archive/1/222552
>
> In short, create a DWORD value named "about" under:
>
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
>
> and set it to 4.
>
> I just tested this against your test page and with the above value
> set, the test tells me "No cookies found for site...".
>
> Interestingly, this registry change seems to have almost immediate
> effect -- i.e. it did not require a restart or logout/login or even
> an IE exit/restart (I did this on Win2K) but occasionally, when
> running the test page over and over alternating back and forward
> between having the above value set and not present (the default), the
> page would work as if the registry value had not yet been changed.

<snip>

I validated your test results with Windows 98 SE (4.10.2222A) in a multi-user environment and Internet Explorer 5.5 (5.50.4807.2300IC with SP2; Q306121 installed), both fully patched with latest updates. I also validated your test results with Windows Me (4.90.3000) and Internet Explorer 5.5 (same version as above) and then again after upgrading to IE 6.0 (6.0.2600.0000). In all cases, the registry change did not require a system reboot to take effect.

However, when I attempted to validate your test result with IE 5.5 by toggling the registry settings between "0" and "4", I noticed that increasing the security setting takes effect immediately, while reducing it requires a new instantiation of IE and will not take effect in the current window. Changing the registry value from "0" to "4" would change the output results on the test Web page from displaying cookies to reporting "No cookies found for site...". Resetting the value from "4" to "0" had no effect on the current instantiation of IE, but the new registry value would take effect upon opening a new IE window, but still not in the previous IE window. (Isn't multi-tasking fun? <smirk>)

This wasn't the case with IE 6.0, however. Toggling the registry settings between "0" and "4" took immediate effect in the current window when both increasing and decreasing the setting.

Therefore, increasing the cookie security setting will take effect immediately in both IE 5.5 and 6.0 in all open IE windows. Decreasing the setting will only take effect in a new window in IE 5.5, regardless of whether the previous windows (including the REGEDIT window) are still open. Decreasing the setting in IE 6.0 will have immediate effect and make the browser vulnerable to the exploit.

Cool stuff! Thanks, Nick, for reminding us of Andrew's post.

Cheers,
Jeff

Jeffrey W. Dronenburg, Sr.
MIS Major, Univ. of Maryland, Univ. College
Alpha Sigma Lambda
Phi Kappa Phi

"A day without learning is like apple pie without ice cream. They're both much sweeter the other way around." -Me! :-)
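The following PowerShell script is an added example and is not part of the original thread or Andrew Clover's post; it applies the workaround quoted above (a REG_DWORD named "about" under the ZoneMap\ProtocolDefaults key, set to 4) and reads the value back so an administrator can audit whether the hardening is in place. The registry path and the value 4 come from the post; the function names are my own, and the zone-number table is IE's standard URL security zone numbering. It assumes Windows PowerShell running from an elevated prompt, since the key lives under HKLM.

```powershell
# Added example (not from the original post): apply and verify the
# "about: URLs into the Restricted Sites zone" workaround.
# Assumes an elevated Windows PowerShell session on a system that
# still carries the IE ZoneMap registry tree.

# Key from the post, written in PowerShell drive syntax.
$ProtocolDefaults = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'

# IE URL security zone numbers as used by ZoneMap\ProtocolDefaults.
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function Get-AboutProtocolZone {
    # Returns the zone number the about: scheme is mapped to, or $null
    # when no "about" value exists (the IE default discussed in the post).
    $item = Get-ItemProperty -Path $ProtocolDefaults -Name 'about' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.about
}

function Set-AboutProtocolZone {
    param([ValidateSet(0, 1, 2, 3, 4)][int]$Zone = 4)
    if (-not (Test-Path $ProtocolDefaults)) {
        New-Item -Path $ProtocolDefaults -Force | Out-Null
    }
    # REG_DWORD "about" = $Zone; 4 = Restricted Sites, as in the post.
    New-ItemProperty -Path $ProtocolDefaults -Name 'about' -PropertyType DWord -Value $Zone -Force | Out-Null
    return Get-AboutProtocolZone
}

function Test-AboutProtocolHardened {
    # The workaround counts as applied only when about: resolves to
    # the Restricted Sites zone (4); any other value, or no value, fails.
    return (Get-AboutProtocolZone) -eq 4
}

# Report the current state, apply the workaround, then report again.
$before = Get-AboutProtocolZone
if ($null -eq $before) {
    Write-Host 'about: is not mapped in ProtocolDefaults (IE default)'
} else {
    Write-Host ('about: currently maps to zone {0} ({1})' -f $before, $ZoneNames[$before])
}

$after = Set-AboutProtocolZone -Zone 4
Write-Host ('about: now maps to zone {0} ({1}); hardened: {2}' -f $after, $ZoneNames[$after], (Test-AboutProtocolHardened))
```

Reading the value back confirms only that the registry holds the intended setting; the behavioural confirmation in the thread is the test page reporting "No cookies found for site...". Per Jeff's observations above, raising the setting is picked up by already-open windows, so the script's result can be checked against a running IE 5.5 or 6.0 session without restarting it.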